FEDERAL INFORMATION SECURITY MANAGEMENT ACT REPORT

Fiscal Year 2004 Evaluation of the Social Security Administration's Compliance with the Federal Information Security Management Act

A-14-04-14040

September 2004   Patrick P. O’Carroll, Jr. – Acting Inspector General

Mission

We improve SSA programs and operations and protect them against fraud, waste, and abuse by conducting independent and objective audits, evaluations, and investigations. We provide timely, useful, and reliable information and advice to Administration officials, the Congress, and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision

By conducting independent and objective audits, investigations, and evaluations, we are agents of positive change striving for continuous improvement in the Social Security Administration's programs, operations, and management and in our own office.

SOCIAL SECURITY
MEMORANDUM

Date:    September 30, 2004                                                 Refer To:

To:      The Commissioner

From:    Acting Inspector General

Subject: Fiscal Year 2004 Evaluation of the Social Security Administration’s Compliance with the Federal Information Security Management Act (A-14-04-14040)

OBJECTIVE

Our objective was to determine whether the Social Security Administration’s (SSA) overall security program and practices complied with the requirements of the Federal Information Security Management Act (FISMA) of 2002.[1] We also reviewed the Agency’s efforts to reach green on the security portion of the expanded electronic Government (eGovernment) initiative of the President’s Management Agenda (PMA). Our analysis included an evaluation of SSA’s plan of action and milestones (POA&M), certification and accreditation (C&A), and systems inventory processes.

BACKGROUND

FISMA requires Federal agencies to create protective environments for their information systems. It does so by creating a framework, which includes annual Information Technology (IT) security reviews, vulnerability reporting, and remediation planning.[2] In August 2001, the PMA was initiated to improve the management and performance of Government by focusing on citizen-centered, results-oriented, and market-based services.

The Office of Management and Budget (OMB) developed a traffic light scorecard to show the progress agencies made: green for success, yellow for mixed results, and red for unsatisfactory.
One of the five Government-wide PMA initiatives is to increase the number of Government services available to the public electronically, through the Internet. This initiative is known as expanded electronic Government or eGovernment. SSA’s current status is yellow and its score for progress in implementing eGovernment services is green. Many of the elements of the eGovernment initiative overlap or duplicate the requirements of FISMA. See Appendix C for more background.

[1] Pub. L. No. 107-347, Title III, Sec. 301.
[2] Pub. L. No. 107-347, Title III, Sec. 301, § 3544.

SCOPE AND METHODOLOGY

FISMA directs each agency’s Office of the Inspector General (OIG) to perform an annual, independent evaluation of the agency’s information security program and practices.[3] The OIG contracted with PricewaterhouseCoopers LLP (PwC) to audit SSA’s Fiscal Year (FY) 2004 financial statements.[4] Because of the extensive internal control work completed as part of that audit, our FISMA review requirements were incorporated into the PwC financial statement audit contract. This evaluation included reviews of SSA’s mission critical sensitive systems. These reviews followed the Government Accountability Office’s (GAO) Federal Information System Controls Audit Manual.[5] PwC performed an “agreed-upon procedures” engagement using FISMA, OMB, National Institute of Standards and Technology (NIST) guidance, and other relevant security laws and regulations as a framework to complete the required OIG review of SSA’s information security program and its sensitive systems.[6] As part of this evaluation, we also reviewed the Agency’s compliance with the PMA’s eGovernment initiative.
See Appendix D for more details on our scope and methodology.

SUMMARY OF RESULTS

During our FY 2004 FISMA evaluation, we determined that SSA has generally met the requirements of FISMA and the security portion of the PMA eGovernment initiative. SSA has made improvements over the past year to further strengthen its compliance with FISMA. The Agency has worked diligently to reach green on the PMA’s eGovernment initiative.

To fully meet the FISMA and PMA requirements and enhance SSA’s information management in this area, SSA should:

• complete the implementation of the Automated Security Self-Evaluation and Remediation Tracking (ASSERT) system as specified in SSA’s security policy and use the system to generate the POA&M reports;

• develop and enforce policies for the systems inventory to ensure the inventory is updated each year;

• continue to ensure that C&As are properly updated every 3 years or when a significant change occurs and that new C&As are prepared for any new major system;

• develop and implement a methodology to accurately track and monitor IT security training; and

• fully test its continuity of operations plan (COOP).

[3] Pub. L. No. 107-347, Title III, Sec. 301, § 3545.
[4] OIG Contract Number GS23F8126H, dated March 16, 2001. The FY 2004 option was exercised on November 22, 2003.
[5] GAO, Federal Information System Controls Audit Manual, Volume I: Financial Statement Audits, GAO/AIMD-12.19.6, June 2001.
[6] OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act, August 23, 2004, and NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001.

PRESIDENT’S MANAGEMENT AGENDA – GETTING TO GREEN

According to the standards of the PMA, to get to green on its PMA eGovernment scorecard, an agency must:

• prepare quarterly status reports that document sustained progress in remediating IT security weaknesses;

• have the Inspector General verify that there is an effective Department-wide IT security remediation process; and

• have 90 percent of operational IT systems properly secured (certified and accredited), including mission critical systems.[7]

We reviewed SSA’s remediation and C&A processes. Based on these analyses, SSA has generally met the above standards as set by the PMA.

SSA IMPLEMENTED ASSERT TO MONITOR ITS REMEDIATION PROCESS AND GENERATE POA&MS

During FY 2004, SSA implemented the ASSERT tool as the focal point of its remediation process.
According to the Agency, ASSERT will monitor all security deficiencies and enable SSA to accumulate all system weaknesses and remediation steps in a single location. ASSERT features include tracking each weakness by title and source, identifying the individual responsible for resolving it, and providing the status of its resolution. SSA plans to include ASSERT policies and procedures in its Systems Security Handbook. Based on our review of the ASSERT tool and our assessment of the compensating manual controls in place until the system is fully implemented, the process generally met the OMB requirements.[8]

The Agency has input into ASSERT the remediation tasks and scheduled completion dates for the weaknesses that will be in its quarterly status report to OMB. Additionally, SSA has completed a NIST Self-Assessment for each of its major systems, which were also included in ASSERT.[9] SSA manually generated its September 15, 2004 quarterly POA&M update report; however, the December 15, 2004 quarterly POA&M update report should be generated automatically from ASSERT. The manually prepared POA&Ms were effective for tracking the weaknesses designated by SSA as reportable to OMB.

[7] http://www.results.gov/agenda/standards.pdf as of September 1, 2004.
[8] OMB Memorandum M-04-25, Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting, August 23, 2004, page 14.

The Office of the Chief Security Officer (CSO) coordinates with other components in the Agency, specifically the Office of Finance, Assessment and Management and the Office of Systems’ Office of Telecommunications and Systems Operations (OTSO), to ensure that all security weaknesses are incorporated into ASSERT.
OMB guidance requires that agencies also report “…all security weaknesses found during any other review done by, for, or on behalf of the agency, including GAO audits, financial systems audits, and critical infrastructure vulnerability assessments.”[10] SSA reported 13 security weaknesses to OMB in its September 2004 POA&M report. In addition, SSA is tracking over 100 other security weaknesses, and their remediation, that the Agency identified as not reportable to OMB.

SSA stated that remediation tasks and scheduled completion dates for all weaknesses should be input into ASSERT by December 2004. When ASSERT is fully implemented and complies with the current policies, the effectiveness of the Agency-wide IT security remediation process should improve.

OMB guidance states that the Agency needs to meet the requirements of development, implementation, and management of an agency-wide POA&M process.[11] Based on our analysis, the ASSERT tool and the interim compensating manual controls generally met the requirements set by OMB for an effective POA&M process.

SSA IDENTIFIED ALL PROGRAMS, SYSTEMS AND SUBSYSTEMS

FISMA requires that agencies develop and maintain an inventory of major information systems.[12] Program officials and Chief Information Officers (CIO) are responsible for reviewing the security of all programs and systems under their respective control. In FY 2004, SSA completed an inventory of all programs, systems, and subsystems. SSA identified an inventory of 20 major systems, consisting of 14 general support systems and 6 major application systems, as well as over 300 subsystems. Each subsystem was listed with the corresponding system(s) it supported.

SSA’s CSO used a systems inventory from its Year 2000 effort as a baseline. The Agency compared this baseline to the systems and subsystems in its National Computer Center’s Business Impact Analysis and its ENDEVOR tool.
ENDEVOR is an integrated set of management tools used to control and monitor SSA’s application development and production implementation processes. The Office of the CSO worked with OTSO to ensure all subsystems were included in the systems inventory and any obsolete systems were removed from it. From these efforts, SSA developed its systems inventory. We reviewed the process and the systems and subsystems in the inventory. We performed limited testing of the inventory to determine whether it included all subsystems. When we brought the items that were omitted from the inventory to the Agency’s attention, SSA added them to the inventory. The inventory appears complete, and no additional subsystems have come to our attention that would lead us to believe items were omitted from this listing. SSA plans to create a systems update policy to ensure the list is maintained and kept current. The Agency is developing an appropriate methodology to maintain the inventory.

[9] NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001.
[10] OMB Memorandum M-04-25, Reporting Instructions for the Federal Information Security Management Act, August 23, 2004, page 14.
[11] OMB Memorandum M-04-25, Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting, August 23, 2004, page 14.
[12] Pub. L. No. 107-347, Title III, Sec. 305(c)(2).

SSA CERTIFICATION AND ACCREDITATION PROCESS APPEARS TO COMPLY WITH FISMA AND NIST GUIDANCE

NIST Special Publication (SP) 800-37 provides guidelines for the Federal Government to certify and accredit its information systems.
The Publication states, “Security certification and accreditation are important activities that support a risk management process and are an integral part of an agency’s information security program.”[13] The security accreditation is management’s approval to put a system into operation and its acceptance of the risk of operating it.[14] The accreditation package must be prepared for each major system and must include an approved system security plan, security assessment reports, and POA&Ms.[15]

SSA system managers prepared the C&A for the major systems, which included the documentation required by NIST SP 800-37. We reviewed the 20 C&As for the major systems. The C&As appear to be in compliance with NIST SP 800-37. SSA must ensure these 20 C&As are updated every 3 years or when a significant change occurs and that new C&As are prepared for any new major system. Nothing came to our attention that led us to believe there were any significant omissions from the C&A process. As a result, over 90 percent of the Agency’s major systems and subsystems were covered by the C&As.
See Appendix E for the complete list of major systems that were certified and accredited in FY 2004.

[13] NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004, page 1.
[14] Id.
[15] Id., page 21.

SSA NEEDS TO DEVELOP AN INFORMATION SECURITY TRAINING METHODOLOGY

According to FISMA and OMB guidance, agencies are required to report on the extent of security training provided during the reporting period.[16] This includes security awareness training provided to all employees and information security training provided to employees with specialized security responsibilities. We found that SSA provides specialized security training for those employees with extensive security responsibilities and security awareness training for other employees to perform their normal duties. SSA currently accumulates this information manually to comply with FISMA. However, it is difficult to manage the security training program without a sound methodology in place.

[16] OMB Memorandum M-04-25, Reporting Instructions for the Federal Information Security Management Act, August 23, 2004, Section G.

SSA is developing a methodology to more accurately track the IT security training provided to each employee. This information should identify the title, date, and cost of the training provided. The Agency decided to modify its Human Resources Management Information System to track security training, but this change is not yet complete. When a system or methodology is implemented, it is expected to enhance SSA’s ability to manage its information system security training program.

SSA NEEDS TO IMPROVE ITS CONTINUITY OF OPERATIONS PLAN PROCESSES AND PROCEDURES

SSA has not fully coordinated and tested its COOP.
FISMA codifies a longstanding policy requirement that each agency’s security program and security plan include provision for a COOP for information systems that support the operations and assets of the agency.[17]

SSA continues to address its COOP issues for the entire Agency. For example, SSA participated in the Government-wide disaster recovery exercise (DRE) known as Forward Challenge. The DRE gave SSA an opportunity to test its COOP at an executive level. SSA executives were involved in this exercise, but it did not flow down to the front line field workers. We determined that there are still some deficiencies and weaknesses with SSA’s COOP and DRE. While detailed COOPs were completed and/or updated during FY 2004, they were not fully tested. Furthermore, the COOP did not address information and information systems provided or managed by other agencies, contractors, or other sources. For example, SSA relies heavily upon other Federal and State government agencies, such as the Department of the Treasury (Treasury) and the State Disability Determination Services. In the event of a disaster, SSA is uncertain as to the availability of these agencies. SSA plans to coordinate and complete a DRE with Treasury’s Financial Management Service next year.

[17] Pub. L. No. 107-347, Title III, Sec. 301, § 3544(b)(8).

CONCLUSIONS AND RECOMMENDATIONS

During our FY 2004 FISMA evaluation, we determined that SSA generally met the requirements of FISMA and the security requirements of the PMA eGovernment initiative. SSA worked cooperatively with the OIG to identify ways to comply with FISMA and the eGovernment initiative. SSA has developed and implemented a wide range of security policies, plans, and practices to safeguard its systems, operations, and assets.
To fully comply and ensure future compliance with FISMA and other information security related laws and regulations, we recommend SSA:

1. Continue to ensure the ASSERT system is in compliance with the Agency’s policies and properly identifies, tracks, and reports the remediation of all system deficiencies. The ASSERT tool should generate POA&Ms, which should be monitored to ensure that deficiencies are resolved.

2. Create policy to ensure that the systems inventory is maintained and accurately reflects the current systems and subsystems operated by SSA.

3. Continue to ensure that C&As are properly updated every 3 years or when a significant change occurs and that new C&As are prepared for any new major system.

4. Continue to implement a methodology to track and monitor IT security training and awareness.

5. Continue to implement a complete and coordinated COOP for the Agency, which is tested on a regular basis.

/s/
Patrick P. O’Carroll, Jr.

Appendices

APPENDIX A – Acronyms

APPENDIX B – Office of the Inspector General’s Completion of Office of Management and Budget Questions concerning Social Security Administration’s Compliance with the Federal Information Security Management Act

APPENDIX C – Background and Current Security Status

APPENDIX D – Scope and Methodology

APPENDIX E – Systems Certified and Accredited in Fiscal Year 2004

APPENDIX F – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms

ASSERT        Automated Security Self-Evaluation and Remediation Tracking
C&A           Certification and Accreditation
CIO           Chief Information Officer
COOP          Continuity of Operations Plan
CSO           Chief Security Officer
DDS           Disability Determination Services
DRE           Disaster Recovery Exercise
eGovernment   Electronic Government
FISMA         Federal Information Security Management Act
FY            Fiscal Year
GAO           Government Accountability Office
GISRA         Government Information Security Reform Act
IG            Inspector General
IT            Information Technology
NIST          National Institute of Standards and Technology
OIG           Office of the Inspector General
OMB           Office of Management and Budget
OPSS          Office of Protective Security Services
OTSO          Office of Telecommunications and Systems Operations
PMA           President’s Management Agenda
POA&M         Plan of Action and Milestones
PwC           PricewaterhouseCoopers LLP
SP            Special Publication
SSA           Social Security Administration
SUMS          Social Security Unified Measurement System
Treasury      Department of the Treasury
US-CERT       United States Computer Emergency Readiness Team

Appendix B

Office of the Inspector General’s Completion of Office of Management and Budget Questions concerning Social Security Administration’s Compliance with the Federal Information Security Management Act

A. System Inventory and Information Technology (IT) Security Performance

A.1. By bureau (or major agency operating component), identify the total number of programs and systems in the agency and the total number of contractor operations or facilities. The agency Chief Information Officers (CIO) and Inspectors General (IG) shall each identify the total number that they reviewed as part of this evaluation in Fiscal Year (FY) 2004. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-26 is to be used as guidance for these reviews.

                 A.1.a. FY04 Programs      A.1.b. FY04 Systems      A.1.c. FY04 Contractor Operations or Facilities
Bureau Name      Total     Reviewed        Total     Reviewed       Total     Reviewed
SSA                8          8              20         20             6          6
Agency Total       8          8              20         20             6          6

Comments:

A.1.a. FY04 Programs
These programs are:
• Retirement insurance;
• Survivors insurance;
• Disability insurance;
• Hospital and medical insurance for the aged, disabled, and those with end-stage renal disease;
• Supplemental security income;
• Special Veterans Benefits;
• Unemployment insurance; and
• Public assistance and welfare services.

A.1.b. FY04 Systems
The Agency has identified 20 major systems and applications that are considered significant to the Agency’s ability to support the Social Security Programs. All 20 systems were included in the certification and accreditation (C&A) process in FY 2004. See Appendix E for a complete list of the systems and applications that the Agency considers critical to its ability to support the Social Security Programs.

A.2. For each part of this question, identify actual performance in FY04 for the total number of systems by bureau (or major agency operating component) in the format provided below.

               A.2.a.               A.2.b.                    A.2.c.                    A.2.d.                 A.2.e.
               Number of systems    Number of systems with    Number of systems for     Number of systems      Number of systems for
               certified and        security control costs    which security controls   with a contingency     which contingency
               accredited           integrated into the       have been tested and      plan                   plans have been
                                    life cycle of the         evaluated in the                                 tested
                                    system                    last year
Bureau Name    Total   Percent      Total   Percent           Total   Percent           Total   Percent        Total   Percent
SSA             20     100 %         20     100 %              20     100 %              19      95 %           18      90 %
Agency Total    20     100 %         20     100 %              20     100 %              19      95 %           18      90 %

Comments:

A.2.a. Number of systems certified and accredited
There were 20 systems certified and accredited in FY 2004. These systems are listed in Appendix E.

A.2.d. All of the 20 major systems have contingency plans except for the Social Security Unified Measurement System (SUMS). SUMS was recently released to production.

A.2.e. All of the major systems were included in the FY 2004 Disaster Recovery Exercise except SUMS and the Disability Case Adjudication and Review System.

A.3. Evaluate the degree to which the following statements reflect the status in your agency, by choosing from the responses provided in the drop down menu. If appropriate or necessary, include comments in the Comment area provided below.

a. Agency program officials and the Agency CIO have used appropriate methods to ensure that contractor provided services or services provided by another agency for their program and systems are adequately secure and meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.
   Evaluation: Mostly, or 81-95% of the time

b. The reviews of programs, systems, and contractor operations or facilities, identified above, were conducted using the NIST self-assessment guide, 800-26.
   Evaluation: Mostly, or 81-95% of the time

c. In instances where the NIST self-assessment guide was not used to conduct reviews, the alternative methodology used addressed all elements of the NIST guide.
   Evaluation: Mostly, or 81-95% of the time

d. The agency maintains an inventory of major IT systems and this inventory is updated at least annually.
   Evaluation: Almost Always, or 96-100% of the time

e. The OIG was included in the development and verification of the agency’s IT system inventory.
   Evaluation: Almost Always, or 96-100% of the time

f. The OIG and the CIO agree on the total number of programs, systems, and contractor operations or facilities.
   Evaluation: Mostly, or 81-95% of the time

g. The agency CIO reviews and concurs with the major IT investment decisions of bureaus (or major operating components) within the agency.
   Evaluation: Almost Always, or 96-100% of the time

h. The agency has begun to assess systems for e-authentication risk.
   Yes or No: Yes

i. The agency has appointed a senior agency information security officer that reports directly to the CIO.
   Yes or No: Yes

Comments:

A.3.a. SSA’s Office of Protective Security Services (OPSS) is notified when new contracts are awarded to service providers and is responsible for scheduling site visits to evaluate and report on the adequacy of security at the facility. OPSS also has a procedure in place that ensures that it or a sub-contractor audit firm reviews between 230 and 240 different facilities throughout the year. Such a review process follows an abbreviated form of the NIST and OMB guidelines as necessary for the facility. These reviews may include visits to SSA Field Offices and Regional Offices, State DDSs, and nongovernmental agencies. Further, the OIG performed reviews of DDSs.

A.3.b. SSA follows NIST SP 800-26 guidelines as part of the C&A process for all significant applications and programs. The Agency uses an abbreviated form of the same NIST guidelines for those entities or facilities that the Agency has not identified as “significant.”

B. Identification of Significant Deficiencies

B.1. By bureau, identify all FY04 significant deficiencies in policies, procedures, or practices required to be reported under existing law. Describe each on a separate row, and identify which are repeated from FY03. In addition, for each significant deficiency, indicate whether a Plan of Action and Milestones (POA&M) has been developed. Insert rows as needed.

                                  FY04 Significant Deficiencies
                  Total      Total Number          Identify and Describe Each     POA&M Developed?
Bureau Name       Number     Repeated from FY03    Significant Deficiency         Yes or No
Social Security
Administration
Agency Total        0             0

Comments:

The Agency has a process in place that identifies security weaknesses noted during the course of audits and evaluations. SSA uses this information to create POA&Ms in accordance with OMB guidelines. The SSA Chief Security Officer (CSO) oversees this process and is responsible for the identification of all security findings from all audit reports or evaluations. It is the decision of the Agency to log and track in a central system those security weaknesses that result in developing a POA&M.

In FY 2004, the Agency began the implementation of a centralized system to track security weaknesses and their resolution. The system is from SRA, Inc. and is known as Automated Security Self-Evaluation and Remediation Tracking (ASSERT). The system is based on NIST SP 800-26. This off-the-shelf system is used by Agency components responsible for the critical systems to document specific weaknesses identified during the NIST SP 800-26 review, audits, risk assessments, application reviews, or any such system evaluation process.
SSA will use the system to report to OMB the number and status of security
weaknesses that resulted in the development of POA&Ms.

Prior to implementation of ASSERT, the Agency components completed the NIST SP 800-26
questionnaires manually and submitted them to the CIO in the C&A packages. The CIO
manually prepared the POA&Ms and submitted them to OMB. With the introduction of
ASSERT, the data will be entered and managed electronically. According to SSA,
ASSERT is scheduled to be fully implemented and used for the preparation of the FY 2005
first quarter OMB POA&M update. ASSERT will include the components’ NIST SP 800-26
questionnaires.

C.    OIG Assessment of the POA&M Process

C.1. Through this question, and in the format provided below, assess whether the
agency has developed, implemented, and is managing an agency-wide POA&M
process. This question is for IGs only. Evaluate the degree to which the following
statements reflect the status in your agency by choosing from the responses provided in
the drop down menu. If appropriate or necessary, include comments in the Comment
area provided below.

Statement                                                          Evaluation
a. Known IT security weaknesses, from all components, are incorporated into the POA&M.
   Evaluation: Almost Always, or 96-100% of the time
b. Program officials develop, implement, and manage POA&Ms for systems they own and
   operate (systems that support their program or programs) that have an IT security
   weakness.
   Evaluation: Almost Always, or 96-100% of the time
c. Program officials report to the CIO on a regular basis (at least quarterly) on their
   remediation progress.
   Evaluation: Almost Always, or 96-100% of the time
d. CIO develops, implements, and manages POA&Ms for every system they own and
   operate (a system that supports their program or programs) that has an IT security
   weakness.
   Evaluation: Almost Always, or 96-100% of the time
e. CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly
   basis.
   Evaluation: Almost Always, or 96-100% of the time
f. The POA&M is the authoritative agency and IG management tool to identify and monitor
   agency actions for correcting information and IT security weaknesses.
   Evaluation: Almost Always, or 96-100% of the time
g. System-level POA&Ms are tied directly to the system budget request through the IT
   business case as required in OMB budget guidance (Circular A-11).
   Evaluation: Almost Always, or 96-100% of the time
h. OIG has access to POA&Ms as requested.
   Evaluation: Almost Always, or 96-100% of the time
i. OIG findings are incorporated into the POA&M process.
   Evaluation: Almost Always, or 96-100% of the time
j. POA&M process prioritizes IT security weaknesses to help ensure that significant IT
   security weaknesses are addressed in a timely manner and receive appropriate resources.
   Evaluation: Almost Always, or 96-100% of the time

Comments:

See Comments to B.1 for a detailed discussion of the POA&M process.

C.2 OIG Assessment of the Certification and Accreditation Process

Section C should only be completed by the OIG. OMB is requesting IGs assess the agency’s
certification and accreditation process to provide a qualitative assessment of this critical
activity. This assessment should consider the quality of the Agency’s certification and
accreditation process. Any new certification and accreditation work initiated after
completion of NIST SP 800-37 should be consistent with NIST SP 800-37. This
includes use of the Federal Information Processing Standards Publication 199,
“Standards for Security Categorization of Federal Information and Information Systems,”
to determine an impact level, as well as associated NIST documents used as guidance
for completing risk assessments and security plans. Earlier NIST guidance is applicable
to any certification and accreditation work completed or initiated before finalization of
NIST SP 800-37. Agencies were not expected to use NIST SP 800-37 as guidance
before it became final.

Statement                                                          Evaluation
Assess the overall quality of the Agency's certification and accreditation process.
   Evaluation: Satisfactory (generally met the requirements of FISMA, NIST, and PMA)

Comments:

SSA identified 20 major applications and systems that are considered significant to
the Agency's ability to support its mission. All 20 C&A managers reviewed their
systems and prepared the C&A packages.
The C&A packages compiled for the CIO included:

 •   Risk Assessments at least once every 3 years or before implementing a
     significantly modified application into production.
 •   Security Plan.
 •   Completion of the NIST SP 800-26 questionnaire.
 •   Certification by appropriate component management that the application or
     system complies with Federal, OMB, NIST, etc. requirements.
 •   Final sign-off for completeness of the C&A package by the CIO.

The Agency plans to use ASSERT to complete the NIST SP 800-26 questionnaires.
Currently, the questionnaires are prepared manually.

D.    Agency-Wide Security Configuration

D.1. First, answer D.1. If the answer is yes, then proceed. If no, then skip to Section E.
For D.1.a-f, identify whether agency-wide security configuration requirements address
each listed application or operating system (Yes, No, or Not Applicable), and then
evaluate the degree to which these configurations are implemented on applicable
systems. For example: If your agency has a total of 200 systems, and 100 of those
systems are running Windows 2000, the universe for evaluation of degree would be
100 systems. If 61 of those 100 systems follow configuration requirement policies, and
the configuration controls are implemented, the answer would reflect "yes" and
"51-70%". If appropriate or necessary, include comments in the Comment area
provided below.

D.1. Has the CIO implemented agency-wide policies that require detailed specific security
configurations and what is the degree by which the configurations are implemented?
    Yes or No: Yes

                                             Yes or No   Evaluation
     a. Windows XP Professional              Yes         Almost Always, or 96-100% of the time
     b. Windows NT                           Yes         Almost Always, or 96-100% of the time
     c. Windows 2000 Professional            Yes         Almost Always, or 96-100% of the time
     d. Windows 2000                         Yes         Almost Always, or 96-100% of the time
     e. Windows 2000 Server                  Yes         Almost Always, or 96-100% of the time
     f. Windows 2003 Server                  No          Rarely, or 0-50% of the time
     g. Solaris                              Yes         Almost Always, or 96-100% of the time
     h. HP-UX                                Yes         Almost Always, or 96-100% of the time
     i. Linux                                N/A         Not applicable
     j. Cisco Router IOS                     Yes         Almost Always, or 96-100% of the time
     k. Oracle                               No          Rarely, or 0-50% of the time
     l.a. Other. Specify: IBM AS/400 (AIX)   Yes         Almost Always, or 96-100% of the time
     l.b. Other. Specify: UNISYS (UNIX)      Yes         Rarely, or 0-50% of the time
     l.c. Other. Specify: IBM zOS            No          Rarely, or 0-50% of the time

Comments:

D.1.i. The Agency does not use or support Linux.
D.1.k. The Oracle application is installed and in operation on a UNIX platform.
        The Agency has developed a UNIX risk model.
D.1.l. The Agency supports IBM AS/400, Unisys servers, and IBM mainframes.
        There is a standard profile in place for AS/400 and Unisys servers, but not for
        the mainframes. The standard has not been consistently enforced for the
        Unisys hardware.

D.2. Answer Yes or No, and then evaluate the degree to which the configuration
requirements address the patching of security vulnerabilities. If appropriate or
necessary, include comments in the Comment area provided below.

D.2. Do the configuration requirements implemented above in D.1.a-f. address patching of
security vulnerabilities?
    Yes or No: Yes
    Evaluation: Mostly, or 81-95% of the time

Comment:

Patch management procedures address patches in multiple ways. One is to
automatically implement patches to hardware through a software solution. This ensures
that patches are implemented in a timely manner. The other is to make the patches
available.
Then, when a hardware "owner" logs onto the system from the Agency
network, they are expected to identify the patches needed, download the patches, and
install them at that first session.

E.       Incident Detection and Handling Procedures

E.1. Evaluate the degree to which the following statements reflect the status at your
agency. If appropriate or necessary, include comments in the Comment area provided
below.

Statement                                                     Evaluation
a. The agency follows documented policies and procedures for reporting incidents
   internally.
   Evaluation: Almost Always, or 96-100% of the time
b. The agency follows documented policies and procedures for external reporting to law
   enforcement authorities.
   Evaluation: Almost Always, or 96-100% of the time
c. The agency follows defined procedures for reporting to the United States Computer
   Emergency Readiness Team (US-CERT). http://www.us-cert.gov
   Evaluation: Almost Always, or 96-100% of the time

E.2. Incident Detection Capabilities.

                                                              Number of    Percentage of
                                                              Systems      Total Systems
a. How many systems underwent vulnerability scans and         20           100 %
   penetration tests in FY04?

b. Specifically, what tools, techniques, technologies, etc., does the agency use to mitigate
   IT security risk?

     The Agency uses a combination of automated tools, system monitoring techniques and
     network penetration-type reviews to identify malicious activity and security weaknesses.
     Some of the specific tools are as follows:

               •   DumpACL
               •   Ettercap, a packet sniffer
               •   Harris Stat, a vulnerability scanner
               •   Nmap, network port scanner and operating system identifier
               •   Phonesweep, a commercial wardialer
               •   Whisker, common gateway interface vulnerability scanner

F.     Incident Reporting and Analysis

F.1. For each category of incident listed: identify the total number of successful
incidents in FY04, the number of incidents reported to US-CERT, and the number
reported to law enforcement. If your agency considers another category of incident
type to be high priority, include this information in category VII, "Other." If appropriate or
necessary, include comments in the Comment area provided below.

                                    F.1. Number of Incidents, by category:
                                        F.1.a.         F.1.b.          F.1.c.
                                        Reported       Reported to     Reported to law
                                        internally     US-CERT         enforcement

I.   Root Compromise                    0              0               0
II.  User Compromise                    0              0               0
III. Denial of Service Attack           0              0               0
IV.  Website Defacement                 0              0               0
V.   Detection of Malicious Logic       0              0               0
VI.  Successful Virus/Worm
     Introduction                       0              0               0
VII. Other                              0              0               0

                            Totals:     0              0               0

F.2 Identify the number of systems affected by each category of incident in FY04. If
appropriate or necessary, include comments in the Comment area provided below.

                                    F.2. Number of systems affected, by category, on:
                                        F.2.a.         F.2.b.          F.2.c.
                                        Systems with   Systems         How many successful
                                        complete and   without         incidents occurred
                                        up-to-date     complete and    for known
                                        C&A            up-to-date      vulnerabilities for
                                                       C&A             which a patch was
                                                                       available?

I.   Root Compromise                    0              0               0
II.  User Compromise                    0              0               0
III. Denial of Service Attack           0              0               0
IV.  Website Defacement                 0              0               0
V.   Detection of Malicious Logic       0              0               0
VI.  Successful Virus/Worm
     Introduction                       0              0               0
VII. Other                              0              0               0

                            Totals:     0              0               0

Comments:

There were multiple critical system scans accomplished during the course of FY 2004,
including those completed by OIG during the FY 2004 Financial Statement Audit. This
included scans of the computers at certain field locations during the Financial Statement
Audit. SSA identified these "events" and took action to investigate and analyze them.
However, SSA did not consider these events to be reportable based on its
interpretation of this category, and did not include these events in any of the noted
categories.

G.      Training

G.1 Has the agency CIO ensured security training and awareness of all employees,
including contractors and those employees with significant IT security responsibilities? If
appropriate or necessary, include comments in the Comment area provided below.

G.1.a. Total number of employees in FY04: 65,312
G.1.b. Employees that received IT security awareness training in FY04, as described in
       NIST SP 800-50: 65,242 (99.89%)
G.1.c. Total number of employees with significant IT security responsibilities: 345
G.1.d. Employees with significant security responsibilities that received specialized
       training, as described in NIST SP 800-50 and 800-16: 331 (95.94%)
G.1.e. Briefly describe training provided: See comments
G.1.f. Total costs for providing IT security training in FY04 (in $'s): $603,695

G.2.
                                                                        Yes or No
a. Does the agency explain policies regarding peer-to-peer file
   sharing in IT security awareness training, ethics training, or        Yes
   any other agency wide training?

Comments:

G.1.b Annually, SSA employees are required to acknowledge that they have read and
understand the Sanctions for Unauthorized System Access Violations policy as their security
awareness training.

G.1.e. The following is a partial list of the security-oriented courses taken during FY 2004
by Agency staff whose job duties included significant security responsibilities:

•     Active Directory;
•     Auditing Your Information Security Program;
•     Certified Information Systems Security Professional (CISSP) Workshop;
•     Computer Security Awareness;
•     Computer Security Program Manager Forum;
•     Defense Against Social Engineering;
•     Ethical Hacking and Assessment; and
•     Focus on FISMA III Symposium.

                                                                               Appendix C

Background and Current Security Status

The Federal Information Security Management Act (FISMA) requires agencies to create
protective environments for their information systems. It does so by creating a
framework for annual Information Technology (IT) security reviews, vulnerability
reporting, and remediation planning.[1] Since 1997, the Social Security Administration
(SSA) has had an internal controls reportable condition concerning its protection of
information.[2] The resolution of this reportable condition remains a priority for the
Agency. SSA is working with the Office of the Inspector General (OIG) and
PricewaterhouseCoopers LLP (PwC) to develop an approach to resolve this reportable
condition and other issues observed during the past FISMA reviews.

In August 2001, the President’s Management Agenda (PMA) was initiated to improve
the management and performance of Government. The Agenda’s guiding principles are
that Government services should be citizen-centered, results-oriented, and market
based. The Office of Management and Budget (OMB) developed a traffic light
scorecard to show the progress agencies made: green for success, yellow for mixed
results, and red for unsatisfactory.
One of the five Government-wide initiatives is to
increase the number of Government services available to the public electronically
through the Internet. This initiative is known as expanded Electronic Government or
eGovernment. SSA’s current status is yellow and its score for progress in implementing
eGovernment services is green. FISMA requires agencies to take a risk-based, cost-
effective approach to securing their information and systems, and assists Federal
agencies in meeting their responsibilities under the PMA. FISMA reauthorized the
framework laid out in the Government Information Security Reform Act (GISRA), which
expired in November 2002.[3] In addition to the previous GISRA requirements, FISMA
authorizes the National Institute of Standards and Technology to develop standards for
agency systems and security programs.[4] SSA has committed significant resources to
getting to green on the eGovernment initiative.

FISMA also requires agencies to prepare and submit plan of action and milestones
(POA&M) reports for all programs and systems where an IT security weakness was
found.[5] The purpose of the POA&M is to assist agencies in identifying, assessing,
prioritizing, and monitoring the progress of corrective efforts for reported security
weaknesses. POA&M reports support the effective remediation of IT security
weaknesses, which is essential to achieving a mature and sound IT security program
and securing agency information and systems. FISMA now requires an OIG
evaluation of the Agency’s POA&M process.[6] This evaluation is instrumental in
enabling the Agency to get to green under the eGovernment scorecard of the PMA.

[1] Pub. L. No. 107-347, Title III, Sec. 301, § 3544.
[2] SSA’s FY 2003 Performance and Accountability Report, page 183.
[3] Pub. L. No. 106-398.
[4] Pub. L. No. 107-347, Title III, Sec. 301, § 3543 (a)(3).
[5] OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security
    Management Act, August 23, 2004, page 14.
[6] Id., page 12.

                                                                               Appendix D

Scope and Methodology

The Federal Information Security Management Act (FISMA) directs each agency’s
Office of the Inspector General (OIG) to perform an annual, independent evaluation of
the agency’s information security program and practices, as well as a review of an
appropriate subset of agency systems.[1] The Social Security Administration (SSA) OIG
contracted with PricewaterhouseCoopers LLP (PwC) to audit SSA’s Fiscal Year (FY)
2004 financial statements. Because of the extensive internal control system work that is
completed as part of that audit, our FISMA review requirements were incorporated into
the PwC financial statement audit contract. This audit included Federal Information
System Controls Audit Manual-level reviews of SSA’s mission critical sensitive systems.
PwC performed an “agreed-upon procedures” engagement using FISMA, the Office of
Management and Budget (OMB) guidance,[2] National Institute of Standards and
Technology (NIST) guidance, and other relevant security laws and regulations as a
framework to complete the OIG required review of SSA’s information security program
and practices and its sensitive systems.
Part of the field work included the completion
of the NIST Security Self-Assessment Guide for Information Technology Systems.[3]

In addition, we evaluated the Agency’s compliance with the President’s Management
Agenda, specifically, the Electronic Government initiative, and determined whether the
Agency had developed, implemented, and managed an Agency-wide plan of action and
milestones (POA&M) process.

The results of our FISMA evaluation were based on the PwC FY 2004 FISMA Agreed-
Upon Procedures report and working papers, various audits and evaluations performed
by the Agency, contractors including PwC, and this office. We also reviewed the final
draft of SSA's FY 2004 Security Program Review.[4]

A major focus of our review was an evaluation of SSA’s POA&M, certification and
accreditation (C&A), and systems inventory processes. Our evaluation of SSA’s
POA&M process included an analysis of the Automated Security Self-Evaluation and
Remediation Tracking system and its policies. Our review of the Agency’s C&A process
included an analysis of all C&As for the 20 major systems. Our review of the systems
inventory process included a review of the subsystems within the new inventory and a
comparison of this new inventory to other listings of the Agency’s subsystems.

We performed field work at SSA facilities nationwide from March through September
2004. This evaluation was performed in accordance with generally accepted
government auditing standards.

[1] Pub. L. No. 107-347, Title III, Sec. 301, § 3545.
[2] OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security
    Management Act, August 23, 2004.
[3] NIST Special Publication 800-26 Security Self-Assessment Guide for Information Technology Systems,
    November 2001.
[4] FY 2004 Security Program Review, provided to our office on August 27, 2004.

                                                                      Appendix E

Systems Certified and Accredited in FY 2004

#                             System                                   Acronym

                 General Support Systems
1   Audit Trail System                                        ATS
2   Comprehensive Integrity Review Process                    CIRP
3   Death Alert Control & Update System                       DACUS
4   Debt Management System                                    DMS
5   Disability Case Adjudication and Review System            DICARS
6   Disability Control File System                            DCFS
7   Enterprise Wide Area Network and Services System          EWANSS
8   FALCON Data Entry System                                  FALCON
9   Human Resources Management Information System             HRMIS
10  Integrated Client Database                                ICDB
11  Logiplex Security Access Systems                          LSAS
12  Recovery of Overpayments, Accounting, & Reporting System  ROAR
13  Social Security Online Accounting and Reporting System    SSOARS
14  Social Security Unified Measurement Systems               SUMS

                      Major Applications
1   Accelerated Electronic Disability System                  AeDib
2   Earnings Record Maintenance System                        ERMS
3   Retirement, Survivors & Disability Insurance System -     RSDI – Accounting
    Accounting
4   SSN Establishment & Correction System                     SSNECS
5   Supplemental Security Income Records Maintenance System   SSIRMS
6   Title II System

                                                                        Appendix F

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Kitt Winter, Director, Data Analysis and Technology Audit Division
   (410) 965-9702

   Al Darago, Acting Director, Data Analysis and Technology Audit Division
   (410) 965-9710

   Phil Rogofsky, Audit Manager, Network Security and Telecommunications Branch
   (410) 965-9719

Acknowledgments

In addition to the persons named above:

       Greg Thompson, Senior Auditor

       Mary Ellen Fleischman, Senior Program Analyst

       Harold Hunter, Senior Auditor

       Grace Chi, Auditor

       Annette DeRito, Writer/Editor

For additional copies of this report, please visit our web site at
www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public
Affairs Specialist at (410) 965-3218. Refer to Common Identification Number
A-14-04-14040.

                           DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Subcommittee on Human Resources
Chairman and Ranking Minority Member, Committee on Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Government Reform and Oversight
Chairman and Ranking Minority Member, Committee on Governmental Affairs
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services,
Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human
Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

               Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),
Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office
of Executive Operations (OEO). To ensure compliance with policies and procedures, internal
controls, and professional standards, we also have a comprehensive Professional Responsibility
and Quality Assurance program.

                                        Office of Audit

OA conducts and/or supervises financial and performance audits of the Social Security
Administration’s (SSA) programs and operations and makes recommendations to ensure
program objectives are achieved effectively and efficiently. Financial audits assess whether
SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash
flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs
and operations. OA also conducts short-term management and program evaluations and projects
on issues of concern to SSA, Congress, and the general public.

                                    Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, abuse, and
mismanagement in SSA programs and operations. This includes wrongdoing by applicants,
beneficiaries, contractors, third parties, or SSA employees performing their official duties. This
office serves as OIG liaison to the Department of Justice on all matters relating to the
investigations of SSA programs and personnel. OI also conducts joint investigations with other
Federal, State, and local law enforcement agencies.

                   Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including
statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on
investigative procedures and techniques, as well as on legal implications and conclusions to be
drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary
Penalty program.

                               Office of Executive Operations

OEO supports OIG by providing information resource management and systems security. OEO
also coordinates OIG’s budget, procurement, telecommunications, facilities, and human
resources. In addition, OEO is the focal point for OIG’s strategic planning function and the
development and implementation of performance measures required by the Government
Performance and Results Act of 1993.